Component removal using package-url in filter.json does not work; documentation lacks examples

[maheshmurali1979]

Issue Description

Summary

When using RepositoryId (package-url / purl) in filter.json to remove components, capycli does not match or remove the component. The same filtering mechanism works when using other fields like Name, but purl-based matching does not trigger any removal.

There is also no documentation or examples showing how RepositoryId-based filtering is intended to work (exact match, prefix match, wildcards, etc.).

Filter File Used

The following is the exact filter.json used:

{
  "Components": [
    {
      "component": {
        "RepositoryId": "pkg:maven/it.softeco*"
      },
      "Mode": "remove"
    }
  ]
}

Observed Behavior

• No components are removed from the SBOM.
• Wildcard matching (*) has no effect.
• Using RepositoryId alone results in zero matches, even when the SBOM contains components with purls like:
  pkg:maven/it.softeco.example/library@1.0.0

Expected Behavior

• Components whose RepositoryId (purl) starts with or equals pkg:maven/it.softeco should be matched and removed.
• capycli should support:
  • exact purl matching
  • wildcard/prefix matching (if intended)
• RepositoryId filtering should behave consistently with Name/Version filtering.

Steps to Reproduce

1. Use any SBOM (CycloneDX XML/JSON) containing Maven components whose purl begins with pkg:maven/it.softeco...
2. Create the above filter.json.
3. Run the capycli command that applies filters (e.g., components apply-filter or the equivalent).
4. Observe that:
   • No components are matched.
   • The output SBOM is unchanged.

Actual Behavior

• The component removal based on RepositoryId does not work.
• No documentation describes whether:
  • RepositoryId is supported for filtering
  • purl needs to be exact or normalized
  • wildcards are supported for purl matching

Environment

capycli version: 2.10.1
Python version: 3.13.7
OS: Microsoft Windows [Version 10.0.22631.6649]
SBOM format: CycloneDX JSON

Requested Actions

1. Confirm whether RepositoryId (purl) matching is officially supported in filters.
2. If supported, fix the logic so purl-based filtering works correctly.
3. Document how RepositoryId matching is supposed to work:
   • exact match?
   • prefix match?
   • wildcard support?
4. Provide at least one example in the documentation showing valid RepositoryId-based filtering in filter.json.

[tngraf]

Hi @maheshmurali1979,

I tried to reproduce the issue, but for me everything works fine.

Please have a look at my test data:

• zsbom_to_filter.json => the SBOM to get filtered
• zfilter.json => a filter file with a fully specified purl (pkg:pypi/beautifulsoup4@4.14.3)
• zfilter2.json => a filter file with a wildcard purl (pkg:pypi/beautiful*)
• zsbom_filtered.json => the filtered SBOM

Command run:

capycli bom filter -i .\zsbom_to_filter.json -o .\zsbom_filtered.json -filterfile .\zfilter2.json -v

In both cases the desired component got removed.

Could you upload all your data files?

zsbom_to_filter.json
zfilter.json
zfilter2.json
zsbom_filtered.json

[maheshmurali1979]

Hi @tngraf,

Thanks for the response. I think I now understand the root cause of the issue.

When I run the filter the first time and the SBOM contains components that match entries in the filter file, the filtering works correctly. However, when I provide an SBOM that does not contain any components matching the filter file, the capycli tool crashes.

This is an issue for me because I need to process a large number of SBOM files, and in many of them the components specified in the filter file do not exist. In such cases, instead of simply returning the same input SBOM as the filtered output (since nothing matches the filter), the tool crashes. When this happens, the filtering process stops for the remaining SBOMs, and the system ends up uploading all components without any filtering applied.

You can reproduce the issue as follows:

1. Run the filter command using zfilter2.json as you described. You should get the expected filtered output zsbom_filtered.json:

capycli bom filter -i .\zsbom_to_filter.json -o .\zsbom_filtered.json -filterfile .\zfilter2.json -v

2. Now run the filter again with the same filter file, but using the filtered SBOM (zsbom_filtered.json) as the input:

capycli bom filter -i .\zsbom_filtered.json -o .\zsbom_filtered1.json -filterfile .\zfilter2.json -v

At this point capycli crashes because none of the components in the input SBOM match the filter file.

This is the error message I receive when it crashes:

Loading SBOM file .\zsbom_filtered.json
  1 component read from SBOM
Applying filter file .\zfilter2.json
  Got 1 filter entries
  Total 1 filter entries
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main        
  File "<frozen runpy>", line 88, in _run_code
  File "D:\Workspaces\vscode\python\sw360\.venv\Scripts\capycli.exe\__main__.py", line 5, in <module>
    sys.exit(main())
             ~~~~^^
  File "D:\Workspaces\vscode\python\sw360\.venv\Lib\site-packages\capycli\main\cli.py", line 28, in main
    app.run(argv)
    ~~~~~~~^^^^^^
  File "D:\Workspaces\vscode\python\sw360\.venv\Lib\site-packages\capycli\main\application.py", line 159, in run
    self._run(argv)
    ~~~~~~~~~^^^^^^
  File "D:\Workspaces\vscode\python\sw360\.venv\Lib\site-packages\capycli\main\application.py", line 140, in _run
    handle_bom.run_bom_command(self.options)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
  File "D:\Workspaces\vscode\python\sw360\.venv\Lib\site-packages\capycli\bom\handle_bom.py", line 68, in run_bom_command 
    app2.run(args)
    ~~~~~~~~^^^^^^
  File "D:\Workspaces\vscode\python\sw360\.venv\Lib\site-packages\capycli\bom\filter_bom.py", line 322, in run
    sbom = self.filter_bom(sbom, args.filterfile)
  File "D:\Workspaces\vscode\python\sw360\.venv\Lib\site-packages\capycli\bom\filter_bom.py", line 256, in filter_bom     
    filterentry["component"]["Name"] + ", " +
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
KeyError: 'Name'

Note: The issue does not appear when filter is based on Name but happens when it is based on RepositoryId

[maheshmurali1979]

If this is a defect, can it be fixed?

[tngraf]

Yes, this is a defect!
I could say that it works fine without the verbose (-v) flag, but it is still a defect.